European regulators on Tuesday sent Google a letter with 12 recommendations for shaping up its new privacy policy - a policy that most EU data regulators found too vague and too tough for users to opt out of.

The letter, which stopped short of calling Google's data collection methods illegal, follows a nine-month investigation into the company's data-collection policies led by France's Commission Nationale de l'Informatique et des Libertés (CNIL).

According to Reuters, the letter was signed by 24 of the EU's 27 data regulators, plus those from Croatia and Liechtenstein.

Google on March 1st rolled out its new privacy policy, consolidating 60+ separate policies into one and pooling data collected on individual users across its services, including YouTube, Gmail and Google+.

The letter said that the massive amounts of data sucked up by Google's far-ranging reach raise concerns about user privacy:

"Combining personal data on such a large scale creates high risks to the privacy of users."

"Therefore, Google should modify its practices when combining data across services for these purposes."

According to Sarah DiLorenzo, writing for the AP, the EU has three main beefs with Google's new privacy policy:

It’s not clear enough in explaining to users what data is collected and how it will be used;

It’s too difficult for users to opt out of data collection and combination; and

Google doesn’t always say how long it will hold onto data.

Beyond those concerns, the commission noted that Google treats all collected data the same, regardless of whether it's a simple search term or a credit card number, and regards any and all data types as fair game for any purpose stated in its new policy.

Regulators would prefer to see Google customize its treatment of data as appropriate to the type of data collected, to get more concrete about now-hazy parts of the policy, and to enable users to more easily detach themselves from the search giant's wide and sticky data web.

For example, as it now stands, the regulators pointed out, users have to take six actions to get out of targeted advertising.

Given Google's ever-expanding data universe and the overwhelming number of nooks and crannies a user's data can get wedged into, getting a handle on one's privacy can indeed be daunting.

Some examples:

Advertising: Google shares non-personally identifiable information (PII) between Google services and ad networks by default so as to personalize ads.

Street View: Images including those of men leaving strip clubs, protesters at an abortion clinic and sunbathers in bikinis have caused concern for privacy advocates. Street View has been banned in India and in Germany, while Australia has ordered Google to destroy personal data harvested by its image-collecting cars.

Web History: Google keeps track of search terms and items clicked on when using Google services.

It's a bit of work to track them all down and opt out, as you can see when you check out Chester's guide.

Indeed, one problem the EU regulators raised in the letter is that the onus is on the user to figure out how to opt out of Google's myriad data-collection techniques.

They'd rather see Google instead ask users for explicit consent when bundling data from its services, the letter said.

The regulators have listed 12 "practical recommendations" for Google to amend its privacy policy, the first five of which address how Google tells people about how their personal information and browsing records will be used, with a particular emphasis on location data and credit card data.

The BBC reported that one of its sources at Google said that the company would look closely at the recommendations but that the findings weren't as serious as some industry watchers had predicted.

Google’s global privacy counsel, Peter Fleischer, told the AP that the company is reviewing the commission’s report but believes its policy respects European law.

Isabelle Falque-Pierrotin, president of the French National Commission on Computing and Freedom, told the AP that Google has three to four months to respond, but there's no hard deadline.

But if Google fails to comply with the regulators' recommendations, it could push the situation into what she called a "contentious phase", she said, without giving details.

Does making its data-collection techniques more understandable work in Google's favor? Hardly. User ignorance is bliss for Google's bottom line.

As one industry watcher told the BBC, if people realised just how much data Google is amassing, they'd opt out en masse, threatening the company's bountiful ad revenues.

Auke Haagsma, a director for the Initiative for a Competitive Online Marketplace (Icomp), told the BBC that offering all of Google's tasty free services and reaping profits off the ads those services dish out just isn't compatible with data collection clarity:

"In Google's business model there is an inherent conflict of interest."

"On the one hand Google wants to offer good services to users, but on the other it's being paid for by advertising."

"Google is collecting so much data. If people realise that, they are afraid people will say no."

I have one friend, Tom Henderson, who went cold turkey on Google services in the spring, cutting himself out of the rich Google tapestry that makes our lives so comfortable that many of us roll over and show our bellies to get them.

He's detailed the pain of the Google divorce and outlined a list of replacement services he uses, though as of the spring, he just couldn't find a good YouTube substitute.

2 Responses to EU tells Google to make its new privacy policy clearer and to give users easier opt-out

Using Ghostery in FF stops these tracking cookies that are used for this information gathering - but it also blocks the polls that Sophos like to have in some of these items.

Google have a history of poor security and walking roughshod all over personal privacy and safety, so it's right that the EU should force them to make users opt-in rather than opt-out - but they stopped short of that this time. Why?

Dropped Android phones for Nokia windows phone. Switched Gmail to Live. At least you can easily opt out and delete bloatware you don't want. People are starting to see behind the curtain and say enough.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.